Ultimate QR Code Phishing (Quishing) Prevention Guide: Here's What the Research Says

How quishing/QR code phishing is being used in attacks, what these threats look like in the wild and best practices for avoiding them.

Post hero image

Table of contents

Reduce your human cyber risk
Hoxhunt's adaptive security training dramatically increases engagement and security resilience.
Learn more

In 2023, approximately 347,3 billion emails were sent daily, and phishing emails are the most common type of cybercrime.

In the UK, 83% of businesses who suffered a cybercrime say the attack was phishing. 

In the usual kill chain for phishing emails, malicious actors try to get the victim to either click a malicious link, download a malicious attachment, or attempt different kinds of financial fraud like getting the victim to transfer money.

Recently, there’s been a trend of including malicious QR codes in phishing emails to get victims to scan them and visit malicious websites.

Below we'll explore how QR codes are being used in phishing tactics, what these threats look like in the wild and best practices for avoiding them.

Editor’s note. We’ve replaced all malicious QR codes in this guide with ones leading to our domain for your own safety.

What are QR codes, and how do they work?

📚 Quick definition: A QR code is short for Quick Response code. They're two-dimensional barcodes you can scan using a smartphone by pointing your camera at it.

A QR code consists of black squares arranged on a white background in a square grid.

When you scan a QR code, your phone camera interprets this pattern and displays the information inside it.

The information can change from links to websites to contact details or even event information.

They offer a convenient way to display information and perform actions, and they're widely used for advertising, ticketing, authentication, and inventory management.

QR codes can be used to store information such as:

  • URLs: Direct users to websites or online resources.
  • Contact information: Provide vCards for easy contact saving.
  • Text: Display simple text messages.
  • Email addresses: Open email clients with pre-filled recipient addresses.
  • Phone numbers: Prompt the user to make a phone call.
  • Wi-Fi network details: Allow users to connect to Wi-Fi networks by scanning.
  • Payment information: Facilitate mobile payments and transactions.

While QR codes offer convenience, they also pose security risks.

Malicious QR codes can direct users to phishing websites or download malware onto their devices.

What is QR code phishing? And how do scammers use QR codes?

📚 Quick definition: Quishing (otherwise known as QR code phishing) is the term used to describe cyber attack where threat actors use malicious QR codes to deceive individuals and gain unauthorized access to sensitive information.

In phishing emails, threat actors use QR codes to deliver malicious links and bypass any possible filters.

The link hides within the code, and the victim has to scan it with their smartphone.

After scanning the code, the victim navigates to the malicious website using the provided link.

The websites usually contain credential harvesters.

Note: The term ‘quishing’ is often considered somewhat controversial since QR code phishing is a variation on the payload type, as opposed to terms like phishing/vishing/smishing - which are all variations on the vector delivery method.

Here's how scammers use QR codes in qr code phishing attacks...

Embedding malicious links

Attackers create QR codes that direct users to malicious websites designed to steal information, such as login credentials, credit card numbers, or other personal data.

🔎 Example: An employee might receive an email appearing to be from HR, offering a link to a new benefits portal. Scanning the QR code in the email redirects them to a fake login page that captures their credentials.

Disguising malware

QR codes can be used to initiate the download of malicious software onto a user’s mobile device.

This malware can then be used to steal data, monitor activity, or cause other harm.

🔎 Example: A QR code on a flier left in the office claims to offer a free app to improve productivity. Scanning the code prompts the download of malware that can monitor the employee's activities or access company data.

Fake payment portals

Scammers can use QR codes to redirect victims to fake payment portals where they are tricked into entering their payment details.

🔎 Example: An employee receives an email appearing to be from a trusted vendor with an attached invoice and a QR code for quick payment. Scanning the code directs them to a fraudulent payment site that captures their financial information.

Social engineering tactics:

Some scammers will exploit social engineering by placing QR codes in contexts that create a sense of urgency or curiosity, prompting users to scan without proper scrutiny.

🔎  Example: A QR code on a fake parking ticket left on an employee's car claims they need to pay a fine immediately. Scanning the code takes them to a phishing site that collects their payment information.

Real-life examples of QR code scams found by the Hoxhunt Team

Within our network, we regularly see several different phishing campaigns using malicious QR codes inside phishing emails.

The majority of the campaigns use Microsoft and MFA as themes.

The largest campaign we’ve encountered is a Microsoft impersonation requesting the users to scan the provided QR code to review a security update.

There’s a tight deadline for the recipient to complete the required task...

And they have instructions to scan the QR code in case some users aren’t familiar with them.

Microsoft quishing attack

Since the campaign was first seen, over a thousand users globally from over 100 different organizations have also reported this email campaign.

Other campaigns were reported within our network that use malicious QR codes, such as a different but similar Microsoft security update phish using MFA as a pretext.

MFA quishing email

Over ten different organizations reported the email above.

And through our network, we’ve also seen QR codes put into pretty much everywhere you could imagine.

Below are just a few examples of the QR code scams we tend to see.

DHL QR code phishing email
Quishing code for payment
Payroll quishing email

DocuSign quishing email

Practical steps for avoiding QR code scams

Your first line of defense when it comes to defending against QR code phishing is going to be to verify the legitimacy of possible phishing emails - like checking the sender’s domain and looking out for suspicious links.

Before doing anything, carefully check the email’s content.

When it comes to QR codes, you should start by making sure the email is legitimate.

If everything checks out, pointing your phone camera towards the QR code typically reveals the URL it leads to.

Remember to be cautious and avoid opening the link by mistake while doing this.

You should also be mindful of using QR code scanning applications - some might redirect you to fraudulent websites regardless of the QR code.

Not all QR codes are phishing scams...

But given that anyone could have made them and it being impossible to tell where they lead before scanning them, it might be worth removing them from your organization's communications altogether.

Below are a few concrete, proactive steps you can take to protect your employees against QR code scams.

Implement secure scanning practices

  • Trusted apps: Recommend employees to use reputable QR code scanning apps that have built-in security features to detect malicious content.
  • Verify before scanning: Instruct employees to verify the source of QR codes before scanning them, especially if they are found in unexpected places or sent via unsolicited emails.
  • Consider dropping QR codes from communications: Although all QR codes aren’t malicious, you may want to avoid using them in company communications due to how difficult it is to confirm their legitimacy.

Use multi-factor authentication (MFA)

  • MFA verification: Require employees to use MFA for accessing critical systems and information. This makes it more difficult for attackers to gain access even if they do manage to steal login credentials through qr code scams.
  • Frequent updates: Regularly update MFA methods and educate employees on the importance of using MFA for all work-related accounts.

Conduct regular security audits

  • Phishing simulations: Incorporate QR phishing attacks into your simulations to keep your employees up-to-date with the latest threats - more on how we do this at Hoxhunt below👇
  • Vulnerability scanning: Use tools to scan your company's network and systems for potential security gaps that could be exploited by QR code phishing attacks.

Make sure your email security practices cover QR code phishing

  • Email security tools: Use email security solutions that can detect and block phishing emails containing malicious QR codes before they reach employees' inboxes.
  • Clear reporting channels: Establish and promote clear procedures for reporting suspicious emails and QR codes, ensuring employees know how to act if they encounter potential phishing attempts.

QR code phishing on the rise: findings from our data

The Hoxhunt Challenge is a flagship project designed to quantify human cyber risk across the world’s biggest business industries.

Who was involved?

The benchmark test was executed in 38 participating organizations in nine different industries, operating out of 125 countries worldwide.

Collectively, this data set included almost 600,000 employees of varying levels of seniority.

How did it work?

The challenge worked a bit like a regular organizational phishing test...

Just on a much larger scale and including the latest threats.

We sent out real QR codes that, when scanned, would take the participant to a ‘malicious website’.

Results

  • In October of last year alone, 22% of real phishing attacks used QR codes.
  • Only 36% of recipients successfully identified and reported the simulated phishing attack
  • The retail industry had the highest miss rate, with only 2 in 10 employees successfully identifying and reporting suspicious QR codes.
  • Employees in communications roles were found to be 1.6 times more likely to engage with a QR code attack.

Want long-term protection? Here's what the research says

Engaged employees reduce human risk

The extent to which employees feel passionate about their jobs, are committed to the organization and its goals, and are motivated to contribute their best work will have a direct impact on your level of human cyber risk.

Staff engagement levels and cybersecurity readiness are very much linked.

Employees who weren't actively invested in their job and the organization as a whole had a miss rate of 90% (this means they missed phishing scams 9 out of 10 times).

Employees who were engaged with their work had a miss rate of just 40%.

Employee engagement vs human risk

Onboarded employees are more vigilant

New employees who completed the onboarding process and received pre-training were significantly more vigilant in identifying phishing emails than those who did not.

They felt better positioned to assess the potential threats in front of them and report questionable emails with confidence.

Onboarding process isn't just a formality.

It can actually be an incredibly important tool for ensuring that teams are ready to mitigate cyber risks.

Onboarded vs not onboarded employees - phishing test response

Active employees are more resilient

One of the most essential takeaways from our study is that active employees are about 14x better at catching QR code scams (and therefore traditional phishing attacks too) than those who aren’t active.

When we talk about 'active' employees, we just mean those with a vested interest in their organization’s day-to-day affairs.

These employees are more likely to pay attention to what is coming into their inboxes.

Active employees were more likely to avoid scanning the code altogether and failed less by a margin of roughly 25%.

Active employees vs cyber resilience

Long-term training improves performance

Regardless of their starting point, most employees will slowly become less vigilant over time - even with great onboarding.

And an employee's position, experience level or formal education doesn't make them any less likely to fall for an attack.

This is why training needs to be frequent.

Our analysis shows that longer-term training helps improve performance over time.

Those who participated over a period of 18 months scored better than those who had only trained for a short amount of time.

And employees with more training experience reported the suspicious QR code 3x more than employees new to the training.

Cybersecurity training shouldn't be a one-off event.

If employees are regularly trained, they will become more aware of potential threats, learn to spot anomalies faster, and have better defenses in place to protect the organization’s data and assets.

If you're looking to improve your organization's security posture, investing in ongoing training is absolutely essential.

This should include both initial onboarding and refresher courses that are provided regularly to ensure employees are kept up-to-date on the latest threats, vulnerabilities, and best practices.

How frequent training needs to be will depend on your organization-specific risk profile...

But training should be at least every six months.

Hoxhunt Challenge highlights

We shared a full breakdown of our findings on qr code scams in the webinar below 👇

Can you train employees using QR code phishing simulations?

QR code scams can be a bit more tricky to simulate than other types of phishing attacks.

You can create your simulated, fraudulent QR code and embed it into emails...

But how do you recreate QR code phishing attacks that employees might encounter in public spaces?

Well, this is exactly what we did with E.ON.

The Challenge

E.ON understands that some people are best reached by less conventional means.

So, we worked with E.ON to launch a QR code phishing campaign using physical stickers that would engage their 80,000 global employees and drive measurable and lasting behavior and culture change. 

In addition to QR phishing simulations delivered via Hoxhunt training, QR codes were printed out with the text, “DON’T SCAN” above them.

The stickers were distributed across workspaces in 8 countries.

If workers scanned them, they were shown a landing page that gently reminded them of the dangers of malicious QR codes.

The Results

EON found that 70% of survey respondents said they'd seen the QR code.

The campaign successfully provoked heightened awareness in employees.

Many were unaware that malicious QR codes existed.

But learning about QR phishing attacks in a supportive and non-judgmental way helped open their eyes to the broader problem of social engineering.

"We published an article about the Don't Scan QR code campaign on our intranet and 20% of employees saw the article where we revealed the campaign. To reach 20% with that content was a huge success for us. It was probably one of the most-seen articles within our intranet." - EON Security Awareness Manager

Reduce human cyber risk with Hoxhunt

Looking for phishing training that will measurably reduce risk?

Hoxhunt is the all in one human risk management platform purpose-built to maximize training outcomes by serving every user a personalized learning path that adapts to their skill level.

  • Deliver interactive, bite-sized training that employees love.
  • Drive results with realistic phishing simulations.
  • Reward employees for reporting simulated and real attacks with instant gratification, leaderboards and achievements.
  • Stay on top of your risk landscape with powerful drill down and benchmarking capabilities. 
Hoxhunt phishing training

Quishing FAQ

How are QR codes used in phishing attacks?

Scammers use QR codes to bypass traditional email filters and security measures.

They embed malicious codes in various physical and digital locations, such as code stickers on parking meters or codes in unexpected emails.

When scanned, these codes can redirect victims to fake websites designed to steal bank account credentials, credit card details, or install malware on personal devices.

What are some common signs of a quishing attack?

  • Unexpected emails: Receiving an email with a QR code from an unfamiliar email address, especially if it contains an unsolicited attachment or link.
  • Untrusted sources: QR codes found in unexpected places or from unknown sources, such as unsolicited emails or physical locations.
  • Promotional offers: Offers that seem too good to be true, often presented through a QR code, can be a trap.
  • Suspicious messages: Any message urging immediate action, such as payment processing or account verification, through a QR code.

Can QR codes from legitimate companies be trusted?

Even QR codes from seemingly legitimate companies can be compromised.

Always verify the context and source before scanning.

For instance, if you receive a QR code in an email claiming to be from a bank or government agency, contact the organization directly using a known phone number or website to verify its authenticity.

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this